Vendor description:
-------------------
"By 2015 we were frustrated that the free internet we loved was under threat. As experts in online security we believed we could solve this problem. So we came together as a team to make SwitchVPN, a simple and powerful app to keep the internet free. SwitchVPN is simple. Install it on your phone, tablet or laptop, then just switch it on to keep the internet free. SwitchVPN is powerful. Our exclusive VPN Service technology is constantly being upgraded by a dedicated team of internet security experts."

Source: https://switchvpn.net/

Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker can fully compromise a MacOS system with an installation of the SwitchVPN client.

Users are urged to uninstall the SwitchVPN client for MacOS until the issues have been fixed.

After installation or an update, the script "fix_permissions.sh" is run by the application. This script changes the owner of the main application binaries to root and sets them to world-writable. Additionally, the SUID bit is set for another sensitive binary in the application folder. This configuration makes it very easy to escalate privileges to root.

After the installation or update of SwitchVPN, the following script is run:

After statically analysing the "SwitchVPN" binary, it became clear that it runs the "compose8" SUID root binary. Further analysis showed that "compose8" subsequently runs the "SwitchVPN_GUI" binary. Since "SwitchVPN_GUI" is world-writable, an attacker can exploit the situation to escalate privileges.
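A defender can check an installed application folder for the permission combination described above (a SUID file alongside world-writable files). The following script is an added example, not part of the advisory or the vendor's code; the function names and the fixture file names are assumptions, and the folder to audit is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit a folder for the permission
# pattern it describes (a SUID file next to world-writable files).

# Regular files under $1 with the SUID bit set.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Regular files under $1 that any local user can overwrite.
list_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# Print findings for directory $1.
# Returns 0 = neither found, 1 = one kind found,
# 2 = both found (the risky combination), 3 = not a directory.
audit_app_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 3; }
    suid=$(list_suid "$dir")
    ww=$(list_world_writable "$dir")
    score=0
    if [ -n "$suid" ]; then
        printf '%s\n' "$suid" | sed 's/^/SUID            /'
        score=$((score + 1))
    fi
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE  /'
        score=$((score + 1))
    fi
    return "$score"
}

# Build a constructed fixture (file names are made up) and print its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/helper_sample"; chmod 4755 "$d/helper_sample"
    : > "$d/gui_sample";    chmod 0777 "$d/gui_sample"
    echo "$d"
}

# With an argument, audit that folder; without one, audit the fixture.
if [ "$#" -gt 0 ]; then
    audit_app_dir "$1"
else
    fx=$(make_fixture) || exit 1
    audit_app_dir "$fx" || echo "audit status: $?"
    rm -rf "$fx"
fi
```

A status of 2 only shows that both kinds of file exist in the folder; whether the SUID file actually launches one of the writable files still has to be confirmed by analysis such as that described above.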

Proof of concept:
-----------------
1) Privilege Escalation Vulnerability
A situation like the one described above provides a wide range of possibilities for escalating privileges to root. A quick and easy way is to write the following shell script to "SwitchVPN_GUI":

Copy the shell binary to an attacker-controlled location (e.g. /tmp). Start the "SwitchVPN.app" as a local, unprivileged user. Afterwards the execution of /tmp/shell will drop the user/attacker to a root shell: